Abstract — With the advent of cloud computing, several security and privacy challenges have been put forth. To deal with many of these privacy issues, 'processing the encrypted data' has been identified as a potential solution, which requires a Fully Homomorphic Encryption (FHE) scheme. After the breakthrough work of Craig Gentry in devising an FHE scheme, several new homomorphic encryption schemes and variants have been proposed. However, none of those theoretically feasible schemes is viable for practical deployment, due to their high computational complexities. In this work, a variant of the DGHV integer-based Somewhat Homomorphic Encryption (SHE) scheme with an efficient public key generation method is presented. The complexities of the various algorithms involved in the scheme are significantly lower. The semantic security of the variant is based on the two-element Partial Approximate Greatest Common Divisors (PAGCD) problem. Experimental results show that the proposed scheme is much more efficient than any other integer-based SHE scheme existing today, and hence practical.

Index Terms — Homomorphic Encryption, Implementation, 
Practicality, Efficient public key, Cloud security, Privacy. 

I. Introduction 

A Fully Homomorphic Encryption (FHE) scheme, or a privacy homomorphism [1], supports "processing the data while it is encrypted" [2][3]. Research on the topic gained momentum after Craig Gentry's first construction of such a scheme [2][3], based on algebraic lattice theory, in the year 2009. Since an FHE scheme allows the delegation of computational tasks to an untrusted remote server, Gentry's breakthrough work has become an attractive solution, particularly for the security and privacy problems of cloud computing and related applications. However, the existing solutions, while theoretically promising, remain far from practical implementation because of the high computational complexities involved.

In simple words, an encryption scheme is said to be fully homomorphic when unlimited addition and multiplication operations are supported on the ciphertexts generated by it [2][3][6]. Such a scheme has the capability to compute any function whatsoever on the encrypted data. Data is encrypted bitwise, and the circuit representation of a function is exploited in order to evaluate that function on the ciphertexts. Apart from the two general requirements of semantic security and correctness, an FHE scheme should meet two additional requirements, compactness and circuit privacy [5]. Compactness means that the size of the ciphertext should remain the same (within the required bounds) irrespective of the function being evaluated, and achieving it poses a great challenge. In his first construction, Gentry formulated a three-step procedure to obtain an FHE scheme satisfying these requirements: 1) constructing a Somewhat Homomorphic Encryption (SHE) scheme that supports many additions but only a limited number of multiplications, 2) squashing the decryption function of the SHE so that the scheme can evaluate its own decryption function (bootstrappability), and 3) obtaining the FHE by periodically applying a ciphertext refreshing method (bootstrapping) that brings the noise in the ciphertexts back to the required low level once it exceeds a threshold value [2][3][6].

The FHE schemes developed so far based on the above 
blueprint are inefficient and impractical because of the 
colossal difference between the computational complexities 
of processing the ciphertexts and the corresponding plaintexts 
[12]. The major factors contributing to these high 
computational complexities are huge public key, large 
message expansion and the ciphertext refreshing Recrypt 
procedure. 

Many of the existing homomorphic encryption schemes support unlimited additions; supporting unlimited multiplications is the main hindrance. In fact, the ciphertext refreshing procedure in Gentry's FHE is introduced precisely to allow unlimited multiplications on ciphertexts. The issue of the practicality of FHE schemes raises several important questions. Principally, is it really necessary to follow the above blueprint for constructing an FHE scheme? How many multiplications on ciphertexts are required by any application in practice to support encrypted data processing? In other words, do we really need an FHE with the capability of supporting unlimited multiplications? Several works [17][31][32] have tried to answer these questions by developing SHE schemes suitable for certain practical applications. The essence is that, in practice, there are several applications whose data-manipulation functions involve many additions but only a few multiplications, and hence an SHE scheme is sufficient for processing the encrypted data in these applications [11][17][19][20]. Despite this fact, no practical SHE scheme exists yet.

A. Related work and recent advances 

Soon after Gentry's FHE invention, three major variant schemes appeared following the blueprint of his construction. The first of these was devised by Smart and Vercauteren [4], the second by Van Dijk et al. [5], and the third by Brakerski and Vaikuntanathan [11]. Stehlé and Steinfeld [7] suggested two optimizations to Gentry's scheme that improve the complexity of the decryption process from $\tilde{O}(n^6)$ to $\tilde{O}(n^{3.5})$. Ogura et al. [8] and Scholl and Smart [15] proposed improvements to the key generation algorithm of Gentry's FHE scheme. The FHE of Brakerski and Vaikuntanathan [10] eliminated step 2 of Gentry's blueprint, i.e., squashing the decryption function. A different technique was used by Gentry and Halevi [16] to eliminate the squashing step; it involves expressing the decryption function of the SHE as a depth-3 arithmetic circuit and switching between a Multiplicatively Homomorphic Encryption (MHE) mode and the SHE mode during the homomorphic evaluation of that circuit. Lauter, Naehrig and Vaikuntanathan [17] demonstrated the construction of an SHE scheme that can efficiently evaluate low-degree functions. The work of Brakerski et al. [12] completely eliminated the bootstrapping process.

The first attempt at implementing an FHE scheme is by Smart and Vercauteren [4], but they could not implement the bootstrappable version because of their assumption that the determinant of the lattice they used should be prime. Eliminating this prime-determinant requirement and combining it with several optimizations, Gentry and Halevi [18] demonstrated the first implementation of Gentry's original ideal-lattice-based scheme. Coron et al. [9] described the first implementation of the integer-based FHE scheme of [5]; their major contribution was reducing the public key size of the scheme in [5] from $\tilde{O}(n^{10})$ to $\tilde{O}(n^7)$. Other efforts in implementing variants of Gentry's scheme are the integer-based symmetric key FHE implementation by Jibang Liu et al. [21], the proof-of-concept implementation of Brakerski et al.'s SHE scheme [11] by Lauter et al. [17], the implementation of Gentry's SHE by Michal Mikuš [13], and the implementation of Smart and Vercauteren's FHE by Henning Perl et al. [14]. The work of Vinod Vaikuntanathan [19] provides an expository survey of the recent advances in homomorphic cryptography. Jing-Li et al. [28] described the extension of Gentry's scheme [3] to a larger message space. Govinda Ramaiah and Vijaya Kumari [29] and Hao-Miao Yang et al. [31], in separate works, proposed similar variants of the integer-based scheme of [5] with an efficient public key generation method that leads to a public key of size $\tilde{O}(n^3)$; in addition, the scheme proposed in [29] uses a simple and straightforward method to achieve compactness. Coron et al.'s work [30] optimized their previous work [9], reducing the size of the public key of [5] to $\tilde{O}(n^5)$. Very recently, another variant SHE scheme was proposed by Govinda Ramaiah and Vijaya Kumari [32]; this scheme is capable of encrypting many bits together, or integer plaintexts.

B. Contributions of this work 

This paper presents a more concrete and secure version of the SHE scheme theoretically proposed in [29], with an implementation and more tangible performance details. Experimental results show that the computational complexities are drastically reduced when compared to any other integer-based SHE scheme existing today. This brings the proposed solution close to deployment in suitable practical applications. The key generation method, when combined with the ciphertext refreshing procedure described in [5] using the optimization suggested by [7], leads to a comparatively efficient FHE scheme.

II. Preliminaries 

A. Notation and basics 

In this paper, lower case italic letters denote the parameters used to represent sizes (bit lengths) of various integers. Similarly, upper case letters denote integers and real numbers, and bold upper case letters denote sets. $\lceil X \rfloor$ denotes rounding of the real number $X$ to the nearest integer, i.e., the unique integer in the half-open interval $(X - 1/2, X + 1/2]$. The quotient and remainder resulting from the division $Z/P$ are designated by $Q_P(Z) = \lceil Z/P \rfloor$ and $R_P(Z) = Z - Q_P(Z)P$, respectively. The notations $[Z]_P$ and $Z \bmod P$ are used interchangeably to represent the modulo operation of $Z$ with respect to $P$, which results in $R_P(Z)$. Since $Q_P(Z)$ is defined by rounding to the nearest integer, $R_P(Z) \in (-P/2, P/2]$ when $P$ is odd. $\lg X$ designates the logarithm of $X$ to the base 2. Choosing an integer $X$ uniformly at random from a finite set $\mathbf{S}$ is written $X \xleftarrow{\$} \mathbf{S}$. The soft-oh notation $f(n) = \tilde{O}(g(n))$ stands for $f(n) = O(g(n) \lg^k g(n))$ for some $k$, ignoring the logarithmic factors and any other smaller additive terms. A $K$-rough integer is an integer having no prime factor smaller than the integer $K$. The reader is referred to [2], [3] and [5] for the various definitions related to Fully Homomorphic Encryption.

B. The DGHV scheme 

In this section, the construction of Van Dijk et al.'s SHE scheme over the integers [5] is described. Let $n$ denote the security parameter.

$e$ denotes the size of the secret key integer. In order to support homomorphism for sufficiently deep circuits, $e$ is taken as $\geq r \cdot \Theta(n \lg^2 n)$.

The public key consists of many approximate multiples of the secret key integer. An approximate multiple of an integer is obtained by adding a small error or noise integer to an exact multiple of it.

$t$ denotes the number of integers in the public key. To use the leftover hash lemma (Lemma 2.1, [5]) in reducing the security of the scheme to solving the AGCD problem (defined below), $t$ is taken as $\geq g + \omega(\lg n)$.

$r$ denotes the size of the noise in each of the public key integers. To foil the brute-force attack against the noise, $r$ is taken as $\omega(\lg n)$.

$g$ denotes the size of each public key integer. For security against the lattice-based attacks on the underlying AGCD problem, $g$ is taken as $\omega(e^2 \lg n)$.

$d$ denotes the size of the additional noise ($d > r$) used during the encryption of a plaintext bit.

The parameter setting suggested by [5], claiming a complexity of $\tilde{O}(n^{10})$, is

$e = \tilde{O}(n^2)$, $r = n$, $d = 2n$, $g = \tilde{O}(n^5)$, $t = g + n$.

Figure 1 shows the DGHV SHE scheme with respect to the above parameters.

KeyGen($n$):
1. Sample $P \xleftarrow{\$} (2\mathbb{Z}+1) \cap [2^{e-1}, 2^e)$ to generate the secret key, i.e., the secret key is a random $e$-bit odd integer $P$.
2. For $i = 0, 1, \ldots, t$ sample $X_i \xleftarrow{\$} D_{g,r}(P)$, where the distribution $D_{g,r}(P) = \{ Q \xleftarrow{\$} \mathbb{Z} \cap [0, 2^g/P),\ R \xleftarrow{\$} \mathbb{Z} \cap (-2^r, 2^r) : X = PQ + R \}$, until the following conditions are satisfied (relabelling so that $X_0$ is the largest): $X_0 > X_1, \ldots, X_t$; $[X_0]_2 = 1$; and $[[X_0]_P]_2 = 0$.
3. Output the public key $PK = (X_0, X_1, \ldots, X_t)$ and the secret key $SK = P$.

Encrypt($PK$, $M \in \{0, 1\}$):
1. Choose the noise for encryption: $B \xleftarrow{\$} \mathbb{Z} \cap (-2^d, 2^d)$.
2. Choose a random subset $S \subseteq \{1, \ldots, t\}$.
3. Compute the sum $Y = \sum_{i \in S} X_i$.
4. Output the ciphertext $C = [M + 2(B + Y)]_{X_0}$.

Decrypt($SK$, $C$): Compute $M = [[C]_P]_2$.

Evaluate($PK$, $CKT$, $(C_1, \ldots, C_k)$): Let $CKT$ be the binary circuit to be evaluated, representing a Boolean function $f$ with XOR gates and AND gates (i.e., $CKT$ consists of mod-2 addition and multiplication gates). Replace the XOR gates and AND gates of $CKT$ with addition and multiplication gates that operate over the integers. Let $CKT_g$ be the resulting generalized circuit and $f_g$ be the corresponding multivariate polynomial. Apply $CKT_g$ over the ciphertext integers $(C_1, \ldots, C_k)$ and output the resulting ciphertext $C$, which corresponds to $f_g(C_1, \ldots, C_k)$.

Figure 1. The DGHV Somewhat Homomorphic Encryption Scheme

The size of the public key in this scheme is $\tilde{O}(n^{10})$ because the public key consists of $t = \tilde{O}(n^5)$ integers, each of size $g = \tilde{O}(n^5)$. When the ciphertext expression (step 4 of Encrypt) is expanded, it takes the form $M + 2B + PQ$. The term $M + 2B \ll P$ is the noise (the distance to the multiple $PQ$), which makes $C$ an approximate or near multiple of $P$. The main problem which makes the scheme only somewhat homomorphic is the rapid growth of this noise during the multiplication operations in Evaluate. For every multiplication, the bit length of the resulting noise equals the sum of the bit lengths of the multiplicand noises, and this crosses the size of $P/2$ after a certain number of multiplications, resulting in incorrect decryption. Further, since $P$ is odd it does not influence the parity of $\lceil C/P \rfloor$, and thus the decryption function can be written as $[[C]_P]_2 = [C - \lceil C/P \rfloor P]_2$, which equals the XOR of the least significant bits (LSBs) of $C$ and $\lceil C/P \rfloor$, i.e., $[[C]_P]_2 = \mathrm{LSB}(C) \oplus \mathrm{LSB}(\lceil C/P \rfloor)$. Even though this form of the decryption function, a single XOR gate applied to two bits, looks simple, the computation of $\lceil C/P \rfloor$ is so complex that the permitted circuits of the scheme cannot handle it [6], which is why the decryption function has to be squashed. To make the scheme bootstrappable, and consequently obtain an FHE scheme by overcoming this problem, the ciphertext refreshing procedure suggested in Gentry's blueprint is applied. Since the optimizations suggested in this work target only the underlying SHE, the discussion in this paper is restricted to the same. DGHV suggested different optimizations for achieving compactness. The simplest of those involves publishing an exact multiple of the secret key $P$ and reducing the ciphertext modulo that exact multiple after every addition and multiplication in Evaluate. This method is followed by [9] also, and the same technique is used for the compactness of ciphertexts in the proposed scheme. The security of the DGHV scheme is based on the hard problem of solving Approximate Greatest Common Divisors (AGCD), which is defined as follows.

Approximate Greatest Common Divisors Problem: The $(r, e, g)$-Approximate Greatest Common Divisors problem is: given polynomially many samples from the distribution $D_{g,r}(P)$ for a randomly chosen $e$-bit odd integer $P$, output $P$.
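As an added illustration (not code from the paper or its authors), the following Python toy implementation follows Figure 1 step by step with deliberately tiny, insecure parameter sizes; the constants E, R, D, G, T are assumptions chosen so that the example runs in a fraction of a second and are not the paper's setting. It checks the rewritten decryption function $\mathrm{LSB}(C) \oplus \mathrm{LSB}(\lceil C/P \rfloor)$ against $[[C]_P]_2$, and multiplies fresh encryptions of 1 together, measuring the true noise with the secret key, to show how the noise bit length grows with every multiplication until decryption would fail. Evaluate is applied over the integers without any reduction, as in Figure 1, so the ciphertexts themselves grow.

```python
import random

# Toy DGHV parameters in bits (assumptions for this example, far too small to
# be secure): e = secret key, r = public-key noise, d = encryption noise,
# g = public-key integers, t = number of public-key integers besides X_0.
E, R, D, G, T = 80, 4, 6, 200, 20


def centered_mod(z, p):
    """R_P(Z) = Z - Q_P(Z)*P with Q_P(Z) = round(Z/P); lies in (-P/2, P/2] for odd P."""
    return z - ((2 * z + p) // (2 * p)) * p


def approx_multiple(p, rng):
    """One sample from D_{g,r}(P): X = P*Q + R with Q in [0, 2^g/P) and |R| < 2^r."""
    q = rng.randrange(0, 2 ** G // p)
    r = rng.randrange(-2 ** R + 1, 2 ** R)
    return p * q + r


def keygen(rng):
    """Figure 1 KeyGen: random odd e-bit P; X_0 is the largest sample, odd, with [X_0]_P even."""
    p = rng.randrange(2 ** (E - 1), 2 ** E) | 1
    while True:
        xs = sorted((approx_multiple(p, rng) for _ in range(T + 1)), reverse=True)
        if xs[0] % 2 == 1 and centered_mod(xs[0], p) % 2 == 0:
            return xs, p


def encrypt(pk, m, rng):
    """Figure 1 Encrypt: C = [M + 2(B + sum_{i in S} X_i)]_{X_0} for a random subset S."""
    b = rng.randrange(-2 ** D + 1, 2 ** D)
    subset_sum = sum(x for x in pk[1:] if rng.getrandbits(1))
    return centered_mod(m + 2 * (b + subset_sum), pk[0])


def decrypt(sk, c):
    """Figure 1 Decrypt: M = [[C]_P]_2."""
    return centered_mod(c, sk) % 2


def decrypt_via_lsb(sk, c):
    """The rewritten decryption function LSB(C) XOR LSB(round(C/P)), valid because P is odd."""
    q = (2 * c + sk) // (2 * sk)
    return (c & 1) ^ (q & 1)


# Evaluate in Figure 1 runs the generalized circuit over the integers: the
# ciphertexts are not reduced, so they grow (compactness is added in Sec. III).
def add(c1, c2):
    return c1 + c2


def mul(c1, c2):
    return c1 * c2


def multiplicative_capacity(pk, sk, rng):
    """Multiply fresh encryptions of 1 until the product's noise exceeds (P-1)/2.

    The noise of a product is the product of the noises, so its bit length grows
    by about the fresh-noise size at each step.  Returns (number of multiplications
    that still decrypt correctly, noise bit lengths after each, all-correct flag).
    """
    c = encrypt(pk, 1, rng)
    noise = centered_mod(c, sk)            # exact: a fresh noise is far below P/2
    count, bits, ok = 0, [], True
    while True:
        c2 = encrypt(pk, 1, rng)
        noise *= centered_mod(c2, sk)      # true noise of the product, tracked with P
        if abs(noise) > sk // 2:
            return count, bits, ok
        c = mul(c, c2)
        count += 1
        bits.append(noise.bit_length())
        ok = ok and decrypt(sk, c) == 1


def demo(seed=1):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    c0, c1 = encrypt(pk, 0, rng), encrypt(pk, 1, rng)
    count, bits, ok = multiplicative_capacity(pk, sk, rng)
    return {
        "roundtrip": (decrypt(sk, c0), decrypt(sk, c1)),
        "lsb_identity": all(decrypt(sk, c) == decrypt_via_lsb(sk, c)
                            for c in (c0, c1, add(c0, c1), mul(c0, c1))),
        "xor": decrypt(sk, add(c1, c1)),                              # 1 XOR 1 = 0
        "and": (decrypt(sk, mul(c0, c1)), decrypt(sk, mul(c1, c1))),  # 0 AND 1, 1 AND 1
        "pk_bits": pk[0].bit_length(),
        "muls_before_failure": count,
        "noise_bits": bits,
        "decrypts_until_failure": ok,
    }
```

With these sizes a fresh noise is below $2^{11}$ and $P/2 \geq 2^{78}$, so at least six multiplications are guaranteed before the noise crosses $P/2$; `demo()["noise_bits"]` shows the bit length climbing by roughly ten per multiplication, which is the growth the paragraph above describes.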

III. The GV scheme

In this section, a more concrete and secure version of the variant scheme proposed by Govinda Ramaiah and Vijaya Kumari [29], with an efficient public key generation method, is presented. The public key consists of two big integers $X_0$ and $X_1$. The integer $X_0$ is an exact multiple of the odd secret integer $P$, and $X_1$ is an approximate multiple, i.e., a multiple of $P$ containing some additive error $R$. To encrypt a plaintext bit $M$, the erroneous integer $X_1$ of the public key is first added to some more additional noise $R'$, resulting in another big integer, say $X_2$. This $X_2$ is then multiplied by a random even integer $2N$, the result is added to the plaintext bit, and the final sum is reduced modulo the error-free integer $X_0$ of the public key. For the homomorphic evaluation of a function, the addition and multiplication operations of the corresponding generalized binary circuit are performed over the ciphertexts, reducing the result of each addition and multiplication modulo the error-free integer $X_0$ of the public key. The security of the scheme is reduced to the two-element Partial Approximate Greatest Common Divisors (PAGCD) problem. The parameter setting for the GV variant scheme is reviewed as follows.
For the given security parameter $n$,

$e$ denotes the size of the secret key integer $P$. For achieving homomorphism in the evaluation of sufficiently deep circuits, $e$ is taken as $\geq d \cdot \Theta(n \lg^2 n)$.

$d$ is the size of the multiplicative noise integer $N$ used for encryption. To avoid the brute-force attack against it, the size of this integer is taken as $\geq 2n$.

$r$ is the size of the noise in the public key integer $X_1$, which is taken as $\omega(\lg n)$ to foil the brute-force attack against the noise.

$g$ is the number of bits in each of the public key integers. Roughly, $g$ is the size of the factor $Q$ in the multiples of $P$ in the public key. Since the public key consists of only two elements, only the attacks related to the two-element PAGCD problem (Section V) are considered. Hence it is claimed that it is sufficient to take $g > e$, as against the condition $g > e^2$ used in [5] to thwart lattice-based attacks on the AGCD problem with some arbitrary number $t$ of elements. Therefore, $g$ is taken as $\omega(e \lg n)$.

The suggested parameter setting with respect to the above discussion is $e = \tilde{O}(n^2)$, $r = n$, $d = 2n$, and $g = \tilde{O}(n^3)$. The GV SHE scheme is shown in Figure 2. The superscript SP denotes that the algorithms belong to the proposed variant with a Smaller Public key.



KeyGen$^{SP}$($n$):
1. Sample $P \xleftarrow{\$} (2\mathbb{Z}+1) \cap [2^{e-1}, 2^e)$ to generate the secret key, i.e., the secret key is a random $e$-bit odd integer $P$.
2. Sample $R \xleftarrow{\$} \mathbb{Z} \cap (-2^r, 2^r)$ to generate the noise for the public key integer.
3. Choose two $g$-bit random integers $Q_0, Q_1$. For this, sample $Q_i \xleftarrow{\$} \mathbb{Z} \cap [0, 2^g/P)$ for $i = 0, 1$.
4. Compute $X_0 = PQ_0$ and $X_1 = PQ_1 + R$.
5. Repeat steps 2 to 4 if $[X_0]_2 = 0$; that is, $X_0$ must be an odd integer. The condition $X_0 > X_1$ specified in the DGHV scheme is omitted.
6. Output the secret key $SK = P$ and the public key $PK = (X_0, X_1)$.

Encrypt$^{SP}$($PK$, $M \in \{0, 1\}$): To encrypt a plaintext bit $M \in \{0, 1\}$,
1. Choose a random $d$-bit integer $N$. For this, sample $N \xleftarrow{\$} \mathbb{Z} \cap [2^{d-1}, 2^d)$.
2. Sample $R' \xleftarrow{\$} \mathbb{Z} \cap (-2^r, 2^r)$ to generate additional noise for the public key integer $X_1$.
3. Compute $X_2 = X_1 + R'$.
4. Output the ciphertext $C = [M + 2NX_2]_{X_0}$.

Decrypt$^{SP}$($SK$, $C$) and Evaluate$^{SP}$($PK$, $CKT$, $(C_1, \ldots, C_k)$) are the same as in the DGHV scheme, with the only difference that for any two ciphertexts $C_i$ and $C_j$ during the generalized circuit evaluation, every addition and multiplication operation is performed as
Add: compute $C_a = [C_i + C_j]_{X_0}$, and
Mul: compute $C_m = [C_i C_j]_{X_0}$.

Figure 2. The GV Somewhat Homomorphic Encryption Scheme

The appealing feature of this scheme is the smaller public key, with only two integers of size $\tilde{O}(n^3)$ each. It is quite easy to see that the GV scheme is a variant of the DGHV scheme for the chosen parameter setting. For Evaluate$^{SP}$, corresponding to the generalized circuit $CKT_g$, we have the following notion of a permitted circuit. Here $d'$ denotes the bit length of the noise in a fresh ciphertext; since that noise is $M + 2N(R + R')$ with $|N| < 2^d$ and $|R + R'| < 2^{r+1}$, taking $d' = d + r + 2$ suffices.

Permitted circuit: An arithmetic circuit with addition and multiplication gates is called a permitted circuit for the GV scheme if, for any set of integer inputs each $< 2^{d'}$ in absolute value, the maximum absolute value output by the circuit is $< 2^{e-2}$. We denote the set of permitted circuits by $\mathbf{CKT}_p$.

Theorem 1. The GV scheme proposed is correct, compact and algebraically homomorphic for the given plaintext $M \in \{0, 1\}$ and for any circuit $CKT \in \mathbf{CKT}_p$.

Proof. Let us consider the fresh ciphertext output by Encrypt$^{SP}$($PK$, $M$). We have
$C = [M + 2NX_2]_{X_0} = [M + 2N(R' + R + PQ_1)]_{X_0} = M + 2N(R' + R) + P(2NQ_1 - KQ_0)$ for some integer $K$,
$= M + 2B + PQ'$, where $B = N(R' + R)$ and $Q' = 2NQ_1 - KQ_0$.
For correct decryption of a ciphertext, the absolute value of the term $M + 2B$ should always be less than $P/2$. For fresh ciphertexts it is enough to verify the sizes of these values. For the chosen parameters, the bit length of $M + 2B$ is at most $d' = d + r + 2 = 3n + 2$, whereas the bit length of $P$ is $e = \tilde{O}(n^2)$. This shows that the condition for correct decryption just discussed is satisfied. Hence Decrypt$^{SP}$ works properly for all fresh ciphertexts. To prove the correctness with respect to Evaluate$^{SP}$, we use the notion of permitted circuit. It should be noted that the integers mentioned in the definition of the permitted circuit correspond to the noise in the ciphertexts. The noise in the fresh ciphertexts is $< 2^{d'}$ in absolute value, and we have $2^{e-2} = P/2$ for $P = 2^{e-1}$, the lower end of the interval $[2^{e-1}, 2^e)$ from which $P$ is drawn. That means, when a permitted circuit is applied to a set of ciphertext integers, the maximum absolute value of the noise remains less than $P/2$, where $P$ is the minimum value of the secret key integer that can be chosen. Now, in Evaluate$^{SP}$, let the circuit $CKT_g$ be applied to the ciphertext integers $C_1, \ldots, C_k$ and let the resulting ciphertext be $C$. Since the circuit $CKT_g \in \mathbf{CKT}_p$, the resulting noise in $C$ after Evaluate$^{SP}$ will be less than $P/2$ for any $P$ chosen from the specified interval for that particular instance of the scheme, which shows that decryption works properly, proving the correctness of Evaluate$^{SP}$.

It is evident that modular reduction results in an integer whose size is always less than or equal to that of the modulus. Therefore, reduction with $X_0$ produces an integer of size $\leq |X_0|$. Since $|X_0|$ is $\tilde{O}(n^3)$, this defines the bound for ciphertext compactness. Thus, the size of the ciphertext resulting from Evaluate$^{SP}$ is always $\tilde{O}(n^3)$ irrespective of the circuit $CKT$ being evaluated, which proves the compactness of the scheme. It can easily be verified that modular reduction with $X_0 = PQ_0$ affects only the $PQ$ term of a ciphertext, and the noise remains unaltered. Hence decryption works properly even after the modular reduction with $X_0$.

Let $C_1 = M_1 + 2B_1 + PQ_1'$ and $C_2 = M_2 + 2B_2 + PQ_2'$. Addition in Evaluate$^{SP}$ gives
$C_a = C_1 + C_2 = (M_1 + M_2) + 2B_a + PQ_a$, for some integers $B_a$ and $Q_a$.
Similarly, multiplication in Evaluate$^{SP}$ gives
$C_m = C_1 C_2 = (M_1 M_2) + 2B_m + PQ_m$, for some integers $B_m$ and $Q_m$.
It can be seen that, for the given values of $R$ and $P$, the noise $M + 2B$ and the quotient $Q$ in the fresh ciphertexts, as well as in the ciphertexts resulting from Evaluate$^{SP}$, stay within the intervals $(-2^{e-2}, 2^{e-2})$ and $(-Q_0/2, Q_0/2]$ respectively whenever the circuit being evaluated is in $\mathbf{CKT}_p$. Hence $C_a$ decrypts to $(M_1 + M_2)$ and $C_m$ decrypts to $(M_1 M_2)$ correctly. □

Lemma 1. Let $f(x_1, \ldots, x_k)$ be a multivariate polynomial in $k$ variables with degree $m$, and let $CKT$ be the corresponding arithmetic circuit. Then $CKT \in \mathbf{CKT}_p$ if

$|f| \cdot (2^{d'})^m < 2^{e-2}$,

where $|f|$ is the $l_1$ norm of the coefficient vector of $f$. □

The above lemma defines the multiplicative capacity of the scheme and, in turn, the set of permitted polynomials. The number of multiplications supported corresponds to the degree $m$ of the permitted polynomials, which can be given as

$m \approx (e - 2 - \lg |f|) / d'$.
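The following Python example, added here and not taken from the paper, implements Figure 2 together with the checks used in the proof of Theorem 1 and in Lemma 1, for toy and insecure bit sizes: the constants E, R, D, G are assumptions, and the fresh-noise bound D_FRESH = d + r + 2 follows from $|M + 2N(R + R')| < 2^{d+r+2}$. It verifies that reducing a product modulo the exact multiple $X_0$ leaves the noise untouched, that ciphertexts never exceed $g$ bits, and that a degree-5 polynomial with $l_1$ norm 2, the largest degree Lemma 1 permits for these sizes, evaluates correctly.

```python
import math
import random

# Toy GV parameter sizes in bits (assumptions for this example; insecure):
# e = secret key P, r = key noise R and R', d = multiplier N, g = X_0 and X_1.
E, R, D, G = 80, 4, 8, 200
D_FRESH = D + R + 2        # |M + 2N(R + R')| < 2^(d+r+2): the d' of the permitted-circuit definition


def centered_mod(z, p):
    """R_P(Z) = Z - round(Z/P)*P, in (-P/2, P/2] for odd P."""
    return z - ((2 * z + p) // (2 * p)) * p


def keygen(rng):
    """Figure 2 KeyGen^SP: X_0 = P*Q_0 exact and odd, X_1 = P*Q_1 + R approximate."""
    p = rng.randrange(2 ** (E - 1), 2 ** E) | 1
    while True:
        r = rng.randrange(-2 ** R + 1, 2 ** R)
        q0, q1 = (rng.randrange(0, 2 ** G // p) for _ in range(2))
        x0, x1 = p * q0, p * q1 + r
        if x0 % 2 == 1:
            return (x0, x1), p


def encrypt(pk, m, rng):
    """Figure 2 Encrypt^SP: C = [M + 2N(X_1 + R')]_{X_0}."""
    x0, x1 = pk
    n = rng.randrange(2 ** (D - 1), 2 ** D)
    r2 = rng.randrange(-2 ** R + 1, 2 ** R)
    return centered_mod(m + 2 * n * (x1 + r2), x0)


def decrypt(sk, c):
    return centered_mod(c, sk) % 2


def add(pk, c1, c2):
    """Evaluate^SP Add: reduce modulo the exact multiple X_0 for compactness."""
    return centered_mod(c1 + c2, pk[0])


def mul(pk, c1, c2):
    """Evaluate^SP Mul."""
    return centered_mod(c1 * c2, pk[0])


def noise(sk, c):
    """The term M + 2B of a ciphertext; exact as long as it is below P/2."""
    return centered_mod(c, sk)


def permitted_degree(l1_norm):
    """Lemma 1: f is permitted if |f| * 2^(d'*m) < 2^(e-2), i.e. m <= (e - 2 - lg|f|) / d'."""
    return int((E - 2 - math.log2(l1_norm)) // D_FRESH)


def demo(seed=1):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    bits = [rng.getrandbits(1) for _ in range(7)]
    cts = [encrypt(pk, b, rng) for b in bits]
    # f(x_1,...,x_7) = x_1 x_2 x_3 x_4 x_5 + x_6 x_7: degree 5, |f| = 2, the most Lemma 1 allows here.
    deg5 = cts[0]
    for c in cts[1:5]:
        deg5 = mul(pk, deg5, c)
    result = add(pk, deg5, mul(pk, cts[5], cts[6]))
    expected = (bits[0] & bits[1] & bits[2] & bits[3] & bits[4]) ^ (bits[5] & bits[6])
    return {
        "roundtrip": [decrypt(sk, c) for c in cts] == bits,
        "fresh_noise_below_bound": all(abs(noise(sk, c)) < 2 ** D_FRESH for c in cts),
        "pk_bits": max(x.bit_length() for x in pk),
        "ct_bits": result.bit_length(),                       # compact: never above g bits
        "permitted_degree": permitted_degree(2),
        "deg5_noise_bits": noise(sk, deg5).bit_length(),      # stays under e - 2 = 78
        "poly_ok": decrypt(sk, result) == expected,
        # Theorem 1: reduction modulo X_0 = P*Q_0 changes only the P*Q term, not the noise.
        "reduction_keeps_noise": noise(sk, cts[0] * cts[1]) == noise(sk, mul(pk, cts[0], cts[1])),
    }
```

The degree bound is only a sufficient condition: with $d' = 14$ and $e = 80$ the lemma permits $m = 5$, and the measured noise of the degree-5 term stays below 70 bits against the $2^{78}$ limit.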
IV. Security of the GV scheme

Since the GV scheme is a variant of the DGHV SHE, the same strategy employed by [5] and [9] can be followed to base the security of the scheme on the hard problem of solving a version of AGCD called the Partial Approximate Greatest Common Divisor (PAGCD) problem.

Two-element PAGCD problem: The two-element $(r, e, g)$-PAGCD problem is: for a random $e$-bit odd positive integer $P$, given $X_0 = PQ_0$ and $X_1 = PQ_1 + R$, where $Q_i$ ($i = 0, 1$) and $R$ are chosen from the intervals $[0, 2^g/P)$ and $(-2^r, 2^r)$ respectively, output $P$.

Chen and Nguyen [23] showed that solving PAGCD is relatively easier than solving the general AGCD problem. However, as mentioned by them, their attack's implementation parameters are suboptimal for the medium and large challenges put forth by Coron et al. [9]. Hence, if the security parameter $n$ is chosen appropriately, the PAGCD problem remains intractable, ensuring the semantic security of the scheme. We have the following theorem, similar to [5], in order to reduce the security of our scheme to the two-element PAGCD problem.

Theorem 2. Let $e, g, r, d$ be the parameters of the GV scheme, which are polynomial in the security parameter $n$. An adversary $\mathcal{A}$ with advantage $\epsilon$ against the scheme can be converted into an algorithm $\mathcal{B}$ for solving the two-element $(r, e, g)$-PAGCD problem with success probability at least $\epsilon/2$. The running time of $\mathcal{B}$ is polynomial in the running time of $\mathcal{A}$, $n$ and $1/\epsilon$.

Proof: Let $\mathcal{A}$ be the adversary against the GV scheme. The input to $\mathcal{A}$ is the public key generated by KeyGen$^{SP}$ and a ciphertext produced by Encrypt$^{SP}$. The output of $\mathcal{A}$ is the plaintext bit $M$, with probability $1/2 + \epsilon$ for a non-negligible $\epsilon$. Now, as described in [5], the algorithm $\mathcal{B}$ that solves the two-element $(r, e, g)$-PAGCD problem is as follows.

To start with, $\mathcal{B}$ takes the two public key integers $X_0 = PQ_0$ and $X_1 = PQ_1 + R$, corresponding to an odd $e$-bit secret key integer $P$, as generated by KeyGen$^{SP}$. Using the subroutine LSB-Quotient given in Figure 3, $\mathcal{B}$ finds the LSB of the quotient $Q_P(Z)$ of a given integer $Z \in [0, 2^g)$ with $|R_P(Z)| < 2^r$.



LSB-Quotient
Input: $Z \in [0, 2^g)$ with $|R_P(Z)| < 2^r$, and $PK = (X_0, X_1)$
Output: the LSB of $Q_P(Z)$
1. For $i = 1$ to $\mathrm{poly}(n)/\epsilon$ do (where $\epsilon$ is the overall advantage of $\mathcal{A}$):
   2. Choose an integer $N_i$ from $[2^{d-1}, 2^d)$, a plaintext bit $M_i \in \{0, 1\}$ and another integer $R'_i$ from $(-2^r, 2^r)$, and compute $X_{2,i} = R'_i + X_1$.
   3. Set $C_i \leftarrow [Z + M_i + 2N_i X_{2,i}]_{X_0}$.
   4. Call $\mathcal{A}$ to predict $a_i \leftarrow \mathcal{A}(PK, C_i)$. ($a_i$ is the plaintext corresponding to $C_i$, i.e., $[R_P(Z)]_2 \oplus M_i$.)
   5. Set $b_i \leftarrow a_i \oplus M_i \oplus \mathrm{parity}(Z)$.
6. Output the majority vote among the $b_i$'s.

Figure 3. Subroutine for predicting the LSB of the quotient

In line 5 of LSB-Quotient, $b_i$ is the parity of $Q_P(Z)$. This is because, since $P$ is odd, we have $\mathrm{parity}(Q_P(Z)) = \mathrm{parity}(R_P(Z)) \oplus \mathrm{parity}(Z)$. In Lemma 2 below we show that the ciphertext $C_i$ in line 3 of LSB-Quotient is distributed almost identically to a valid encryption of $[R_P(Z)]_2 \oplus M_i$ for all but a negligible fraction of the public keys generated by the GV scheme. Therefore, $\mathcal{A}$ has a noticeable advantage in guessing the plaintext bit encrypted under $PK$. Due to this, LSB-Quotient outputs the LSB of $Q_P(Z)$ with overwhelming probability.

For any two integers $Z_1 = R_P(Z_1) + PQ_P(Z_1)$ and $Z_2 = R_P(Z_2) + PQ_P(Z_2)$, where the difference between the sizes of $R_P(Z_i)$ and $P$ is as mentioned in the parameter setting, apply the binary-GCD algorithm as described in [5], obtaining the parities of $Q_P(Z_1)$ and $Q_P(Z_2)$ from LSB-Quotient above. After about $O(g)$ iterations we get two integers, say $Z_1'$ and $Z_2'$, with $Q_P(Z_2') = 0$ and $Q_P(Z_1')$ equal to the odd part of $\mathrm{GCD}(Q_P(Z_1), Q_P(Z_2))$. That is, we finally get some integer $Z = \text{binary-GCD}(Z_1, Z_2) = \mathrm{oddpart}(\mathrm{GCD}(Q_P(Z_1), Q_P(Z_2))) \cdot P + R_n$ for some noise $R_n$.

To recover $P$, the algorithm $\mathcal{B}$ takes the two public key integers $X_0, X_1$ and applies the binary-GCD algorithm to them. Note that $X_0, X_1$ are generated so that they have the common hidden factor $P$. Also, since $Q_0, Q_1$ (i.e., $Q_P(X_0), Q_P(X_1)$) are chosen at random from a very large interval, according to Theorem D, page 342, of [27], there is a good probability of $6/\pi^2 \approx 0.61$ that $Q_0, Q_1$ are coprime (i.e., the odd part of $\mathrm{GCD}(Q_0, Q_1)$ is 1). Hence binary-GCD($X_0$, $X_1$) returns some $Z = 1 \cdot P + R_n$ with $|R_n| < 2^r$ with high enough probability. Now, when binary-GCD is applied again to $(X_0, Z)$, the sequence of parity bits of $Q_P(X_0)$ over all the iterations is the binary representation of $Q_P(X_0) = Q_0$. Since $X_0$ is an exact multiple of $P$, $P = X_0/Q_0$.

Thus, $\mathcal{B}$ is a solver for PAGCD; its overall success probability, as analyzed in [5], is $\epsilon/2$, and its running time is polynomial in the running time of $\mathcal{A}$, $n$ and $1/\epsilon$. □
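The reduction in the proof of Theorem 2, as an added Python example (not the authors' code): it builds a two-element PAGCD instance with toy, insecure sizes (the constants E, R, D, G are assumptions), stands in for the adversary $\mathcal{A}$ with a perfect decryptor that holds the secret key (the reduction only consumes $\mathcal{A}$'s answers, so this is the best case $\epsilon = 1/2$), implements LSB-Quotient of Figure 3 with its majority vote, runs the binary-GCD of [5] on $(X_0, X_1)$ using nothing but that oracle, reads off the bits of $Q_0$ and returns $P = X_0/Q_0$. The candidate is verified publicly (it must be an odd $e$-bit divisor of $X_0$ such that $X_1$ is within $2^r$ of a multiple of it), and the demo retries with a fresh instance whenever the odd part of $\mathrm{GCD}(Q_0, Q_1)$ is not 1, the event the text above bounds by the $6/\pi^2$ probability.

```python
import random

# Toy bit lengths for the two-element PAGCD instance (insecure; assumptions for
# this example): e = secret key P, r = noise R, d = multiplier N, g = X_0, X_1.
E, R, D, G = 80, 4, 8, 200
NOISE_BOUND = 2 ** (R + 1)     # a non-negative integer below this has Q_P(Z) = 0


def quotient(z, p):
    """Q_P(Z) = round(Z/P); for odd P there are no ties."""
    return (2 * z + p) // (2 * p)


def centered_mod(z, p):
    """R_P(Z) = Z - Q_P(Z)*P, lying in (-P/2, P/2]."""
    return z - quotient(z, p) * p


def pagcd_instance(rng):
    """X_0 = P*Q_0 (odd) and X_1 = P*Q_1 + R, exactly as KeyGen^SP produces them."""
    p = rng.randrange(2 ** (E - 1), 2 ** E) | 1
    while True:
        q0, q1 = (rng.randrange(0, 2 ** G // p) for _ in range(2))
        r = rng.randrange(-2 ** R + 1, 2 ** R)
        if q0 % 2 == 1:
            return (p * q0, p * q1 + r), p


def perfect_adversary(sk):
    """Stand-in for A: answers with the true plaintext bit (advantage 1/2)."""
    return lambda pk, c: centered_mod(c, sk) % 2


def lsb_quotient(z, pk, adversary, rng, trials=9):
    """Figure 3: majority vote over re-randomised encryptions of Z's noise parity."""
    x0, x1 = pk
    ones = 0
    for _ in range(trials):
        n = rng.randrange(2 ** (D - 1), 2 ** D)
        m = rng.getrandbits(1)
        r2 = rng.randrange(-2 ** R + 1, 2 ** R)
        c = centered_mod(z + m + 2 * n * (x1 + r2), x0)   # encrypts [R_P(Z)]_2 XOR m
        a = adversary(pk, c)
        ones += a ^ m ^ (z & 1)      # b_i = a_i XOR M_i XOR parity(Z) = LSB of Q_P(Z)
    return int(2 * ones > trials)


def binary_gcd(z1, z2, lsb):
    """Binary GCD on the hidden quotients, driven only by the LSB oracle.

    Returns Z' = Q'*P + R' with Q' the odd part of gcd(Q_P(Z1), Q_P(Z2)).  A value
    below NOISE_BOUND has quotient 0.  Halving keeps the noise within its bound
    because parity(Z) = parity(R_P(Z)) whenever Q_P(Z) is even (P is odd).
    """
    while True:
        if z2 < NOISE_BOUND:
            return z1
        if z1 < NOISE_BOUND:
            return z2
        b1, b2 = lsb(z1), lsb(z2)
        if b1 and b2:                       # both quotients odd: subtract the smaller
            if z1 < z2:
                z2, b2 = z2 - z1, 0
            else:
                z1, b1 = z1 - z2, 0
        if not b1:
            z1 = (z1 - (z1 & 1)) // 2       # Q1 <- Q1/2
        if not b2:
            z2 = (z2 - (z2 & 1)) // 2       # Q2 <- Q2/2


def solve_pagcd(pk, adversary, rng):
    """Algorithm B of Theorem 2; returns P, or None when the odd part of gcd(Q_0, Q_1) != 1."""
    x0, x1 = pk
    lsb = lambda z: lsb_quotient(z, pk, adversary, rng)
    z = binary_gcd(x0, x1, lsb)             # Z = 1*P + R_n when Q_0, Q_1 are coprime
    # Binary GCD of (X_0, Z): the LSBs of Q_P(X_0) read off its bits, least significant first.
    bits, x = [], x0
    for _ in range(G + 2):
        if abs(x) < NOISE_BOUND:
            break
        b = lsb(x)
        bits.append(b)
        if b:
            x -= z                          # Q <- Q - 1 (exact when Q_P(Z) = 1)
        x = (x - (x & 1)) // 2              # Q <- Q/2
    q0 = sum(b << i for i, b in enumerate(bits))
    if q0 == 0 or x0 % q0:
        return None
    p = x0 // q0
    # Public check of the candidate: odd e-bit divisor of X_0 with X_1 within 2^r of a multiple.
    ok = p % 2 == 1 and p.bit_length() == E and abs(centered_mod(x1, p)) < 2 ** R
    return p if ok else None


def demo(seed=1, max_tries=20):
    """Generate instances until B succeeds; returns (recovered P, true P, tries)."""
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        pk, p = pagcd_instance(rng)
        found = solve_pagcd(pk, perfect_adversary(p), rng)
        if found is not None:
            return found, p, tries
    return None, None, max_tries
```

Replacing `perfect_adversary` by any predictor with advantage $\epsilon$ is what turns this into the actual reduction: the majority vote in `lsb_quotient` then needs $\mathrm{poly}(n)/\epsilon$ trials instead of 9, and nothing else changes.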

Lemma 2. Let the parameters $e, g, r, d$ be set as specified in the scheme, and let the secret key $SK = P$ and the public key $PK = (X_0, X_1)$ be chosen according to KeyGen$^{SP}$. For every integer $Z \in [0, 2^g)$ which is within $2^r$ of a multiple of $P$, consider the following distribution:

$C_{PK}(Z) = \{ N \xleftarrow{\$} \mathbb{Z} \cap [2^{d-1}, 2^d),\ R' \xleftarrow{\$} \mathbb{Z} \cap (-2^r, 2^r) : \text{output } C' = [Z + 2N(R' + X_1)]_{X_0} \}$.

$C_{PK}(Z)$ is the same as the distribution induced over the ciphertexts generated by Encrypt$^{SP}$($PK$, $M = [[Z]_P]_2$), with overwhelming probability.

Proof: For a given ciphertext $C$, the integer $Q_P(C)$ is uniform in $(-Q_0/2, Q_0/2]$ by the leftover hash lemma (Lemma 2.1, [5]). Let $C' = [Z + 2N(R' + X_1)]_{X_0} = M' + 2B' + PQ'$ for some integers $B'$ and $Q'$. The integer $Z$ used to generate $C'$ can itself be treated as a ciphertext generated by Encrypt$^{SP}$($PK$, $M'$), because $Z$ is within $2^r$ of a multiple of $P$. Therefore $C'$ corresponds to the result of the homomorphic addition of two ciphertexts, with plaintext bit $M' + M$ where $M = 0$. Now, Theorem 1 shows that $C'$ yields the correct plaintext upon decryption. Also, consider the integer hash function family $h : [2^{d-1}, 2^d) \to \mathbb{Z}_{Q_0}$, where $\mathbb{Z}_{Q_0}$ denotes the integers modulo $Q_0$, given by $h(N) = [2NQ_1]_{Q_0}$ with $N$ chosen from $[2^{d-1}, 2^d)$. Clearly $h$ is pairwise independent because, for any two integers $N_0 \neq N_1$ chosen from $[2^{d-1}, 2^d)$, $\Pr[h(N_0) = h(N_1)]$ is negligible, almost zero. This is because $|Q_0| \gg |N|$ and, since $Q_0, Q_1$ are fixed, the quotient of $2N(R' + X_1)$ reduced modulo $Q_0$ takes different values for different values of $N$. Hence in $C'$ the value of $Q'$ is also uniform in $(-Q_0/2, Q_0/2]$, and the claim follows. □

V. Known attacks 

In the GV scheme, for a given security parameter $n$, the lowest-noise instance of the PAGCD problem available to an attacker for a given secret key integer $P$ is the public key $(X_0, X_1)$, because the noise in $X_1$ is much smaller than the noise in the ciphertexts of that particular instance of the scheme. Therefore, only the attacks against the two-element PAGCD problem, i.e., against the public key, are described, with the claim that the high-noise ciphertexts (approximate multiples of $P$) withstand all of these attacks at least as well.

1) Factoring the exact multiple: For the chosen parameter values, the size of the exact multiple of $P$, i.e., $X_0$, is big enough that even the best known integer factoring algorithms, such as the General Number Field Sieve [24], will not be able to factor $X_0$. Even if the factor $P$ is targeted, which is smaller than $Q_0$, algorithms such as Lenstra's elliptic curve factoring method [25] take about $\exp(\tilde{O}(\sqrt{e}))$ time to find $P$. Note, moreover, that $P$ will not be recovered directly, as it is not prime and may decompose further into smaller primes. For enhanced security, $X_0$ may be generated with $P$ and $Q_0$ as $2^{1024}$-rough integers, as discussed in [32].

2) Brute-force attack on the noise: Given the public key integers $X_0 = PQ_0$ and $X_1 = PQ_1 + R$, where the size of $R$ is $O(n)$, the simple brute-force attack is: choose an $R$ from the interval $(-2^r, 2^r)$, subtract it from $X_1$, and compute $\mathrm{GCD}(X_0, X_1 - R)$ each time, which may be the required secret integer $P$. In the worst case this process may need to be repeated for all the integers $R$ in the specified interval, i.e., about $2^{r+1}$ GCD computations on $g$-bit integers, so the complexity of this attack is $2^{r} \cdot \tilde{O}(g)$.

3) Continued fractions and lattice based attacks:
Howgrave-Graham [22] described two methods to solve the
two-element PAGCD problem. In simple terms, the continued
fraction based approach (Algorithm 11 in [22]) recovers P if
the condition R < P/Q is satisfied. Similarly, his lattice based
algorithm (Algorithm 12 in [22]) recovers P if the condition
R < P/(PQ)^ε is satisfied for some real number ε in (0, 1). Also,
for the two-element PAGCD problem it is possible to recover P
when ρ/γ is smaller than (η/γ)^2 [5]. Since the chosen parameter
setting does not satisfy these constraints, these methods fail to
recover the value of P.

VI. Performance and practicality 

A. Improvement in bit complexity 

The public key size of the DGHV scheme is O(n^10).
Generation of each public key element involves O(n^5 · n^2) bit
operations, so generating the complete public key, which
contains O(n^5) elements, takes O(n^12) computations. The
ciphertext expansion in that scheme is n^5.

The public key in the GV variant consists of only two
elements, each of O(n^3) bits. Hence the size of the public key
is O(n^3). The key generation complexity is O(n^3 · n^2) = O(n^5)
for generating the two public key elements. This is a significant
improvement over the SHE schemes of [5] and [9]. The
encryption of a single-bit plaintext, which involves a
multiplication of O(n^3 · n) and a modular reduction of the
resulting O(n^3)-bit integer by the O(n^3)-bit X_0, takes O(n^6)
steps. The major factor contributing to the bit complexity of
decryption is the modular reduction of the O(n^3)-bit ciphertext
by the O(n^2)-bit secret key integer P, which makes the
decryption complexity roughly O(n^6). Therefore, the overall
theoretical complexity of the GV variant is O(n^6). Since a
single-bit plaintext is expanded to a ciphertext of O(n^3) bits,
the expansion ratio is also smaller, namely n^3. TABLE I
summarizes the comparative analysis with existing integer
based SHE schemes.

©2012 ACEEE

B. Experimental results 

The GV scheme is implemented in Visual C++ 2008 Express
Edition using Victor Shoup's Number Theory Library (NTL)
[33] for the manipulation of the big integers involved. The
programs were run on an ordinary desktop PC with an Intel
Core 2 Duo T5750 2 GHz processor and 4 GB RAM, under the
Windows 7 Professional operating system. Experiments were
carried out to measure the time taken by the various
algorithms of the scheme for different values of the security
parameter.



Table I. Summary of Improvements

Item of comparison     | DGHV SHE [5]  | CMNT SHE [9]                         | GV SHE
-----------------------|---------------|--------------------------------------|-------------------
Compactness            | No            | Yes                                  | Yes
Size of the public key | O(n^10)       | O(n^7)                               | O(n^3)
Key Gen complexity     | O(n^12)       | (illegible in source)                | O(n^5)
Encrypt complexity     | (illegible)   | (illegible in source)                | O(n^6)
Decrypt complexity     | (illegible)   | (illegible in source)                | O(n^6)
Message expansion      | n^5           | (illegible in source)                | n^3
Overall complexity     | O(n^12)       | (illegible in source)                | O(n^6)
Security base          | AGCD          | PAGCD (Error-free approximate GCD)   | Two-element PAGCD


The practical multiplicative capacity of the scheme is 
obtained at various levels of security. TABLE II below shows 
the values of parameters corresponding to different security 
levels: Toy, Small, Medium, and Large. The results correspond 
to the encryption of a single bit. All the times in TABLE III 
and TABLE IV are shown in seconds. 



Table II. Values of Parameters at Different Security Levels

Level of security | n   | size of P (bits) | size of R (bits) | 2n  | size of X_0, X_1 and ciphertexts (bits)
------------------|-----|------------------|------------------|-----|----------------------------------------
Toy               | 32  | 1024             | 32               | 64  | (illegible in source)
Small             | 64  | 4355             | 64               | (illegible) | (illegible in source)
Medium            | 80  | 6400             | 80               | 160 | 512000
Large             | 128 | 16384            | 128              | 256 | (illegible in source)



TABLE V gives the comparison of practical performances
(time in seconds) of the GV scheme with two other
implementations [9] [30], corresponding to the value of the
security parameter n = 72.

Table III. Practical Performance at Different Security Levels (times in seconds)

Level of security | Security parameter n | Key Gen time | Encrypt time | Decrypt time
------------------|----------------------|--------------|--------------|-------------
Toy               | 32                   | 0.015        | (illegible)  | (illegible)
Small             | 64                   | 0.047        | (illegible)  | 0.013
Medium            | 80                   | 0.187        | 0.016        | 6.662
Large             | 128                  | 0.507        | 0.031        | (illegible)

Table IV. Practical Evaluation Capacity of the Scheme (times in seconds)

n   | Time for addition of two bits | Time for multiplication of two bits | Number of multiplications over a fresh ciphertext
----|-------------------------------|-------------------------------------|--------------------------------------------------
32  | (illegible in source)         | 0.047                               | 10
64  | (illegible in source)         | 2.402                               | 20
80  | (illegible in source)         | 8.986                               | (illegible in source)
128 | 3                             | 84                                  | 40

Analysis of the experimental results shows that the GV scheme
is considerably more efficient than any other existing integer
based SHE scheme. This drastic improvement in performance
makes the GV scheme ready for deployment in suitable practical
applications. However, the evaluation results correspond to
operations over ciphertexts that encrypt single bits. Thus, any
remaining impracticality of the scheme is attributable entirely
to the size of the input function or circuit given to the Evaluate()
algorithm. Hence, the reduced complexities combined with the
ability to encrypt many bits at once, or integer plaintexts as
done in [32], make the scheme really practical.
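To make the noise budget behind Table IV and the key-versus-ciphertext noise gap of Section V concrete, here is an added Python example; it is not the authors' NTL implementation. It builds a toy integer SHE with the two-element public key X_0 = PQ_0, X_1 = PQ_1 + R at a constructed scale n = 8, with P of n^2 bits, X_0 and X_1 of n^3 bits and R of n bits as in Section VI.A; the encryption form c = (m + 2r + 2N·X_1) mod X_0 with a 2n-bit r and an n-bit N is an assumption, not taken from the paper.

```python
import random
rng = random.Random(2012)   # seeded for a reproducible walkthrough; real keys need a CSPRNG

def keygen(n):
    """Toy two-element public key (constructed example, not the paper's code); sizes follow
    Section VI.A: P has n^2 bits, X0 and X1 have n^3 bits, the noise R has n bits."""
    eta, gamma, rho = n * n, n ** 3, n
    P = rng.getrandbits(eta) | (1 << (eta - 1)) | 1                # odd secret integer
    Q0 = rng.getrandbits(gamma - eta) | (1 << (gamma - eta - 1))
    Q1 = rng.getrandbits(gamma - eta) | (1 << (gamma - eta - 1))
    R = rng.getrandbits(rho)                                        # small public-key noise
    return P, (P * Q0, P * Q1 + R)                                  # X0 exact, X1 approximate

def encrypt(pk, m, n):
    """Assumed DGHV-style form c = (m + 2r + 2N*X1) mod X0, r of 2n bits, N of n bits."""
    X0, X1 = pk
    r, N = rng.getrandbits(2 * n), rng.getrandbits(n)
    return (m + 2 * r + 2 * N * X1) % X0

def decrypt(P, c):
    return (c % P) % 2           # correct while the accumulated noise stays below P

def noise(P, c):
    return c % P                 # equals m + 2r + 2NR for a fresh ciphertext

def add(pk, c1, c2):
    return (c1 + c2) % pk[0]     # noise terms add
def mul(pk, c1, c2):
    return (c1 * c2) % pk[0]     # noise terms multiply

def multiplicative_capacity(n):
    """Multiplications by fresh encryptions of 1 that a fresh ciphertext survives before its
    noise reaches P: the quantity Table IV reports per security level."""
    P, pk = keygen(n)
    c = encrypt(pk, 1, n)
    e, count = noise(P, c), 0
    while True:
        f = encrypt(pk, 1, n)
        e *= noise(P, f)         # exact noise tracked alongside the ciphertext
        if e >= P:
            return count         # one more multiplication would wrap modulo P
        c = mul(pk, c, f)
        assert decrypt(P, c) == 1 and noise(P, c) == e
        count += 1

def public_key_noise_is_small(n):
    """Section V's observation: the noise R in X1 is far below a fresh ciphertext's noise."""
    P, pk = keygen(n)
    return (pk[1] % P).bit_length() < noise(P, encrypt(pk, 1, n)).bit_length()
```

At this toy scale the capacity is only a couple of multiplications, which is why the paper's Table IV grows with n: the noise budget is the n^2-bit P against a fresh noise of roughly 2n bits.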



Table V. Comparison with Existing Implementations (times in seconds, n = 72)

Algorithm                 | Scheme of [30] | CMNT scheme [9] | GV scheme (current work)
--------------------------|----------------|-----------------|-------------------------
Key Gen                   | 2580           | 378             | 0.062
Encrypt                   | 177            | 3.4             | (illegible in source)
Decrypt                   | 0.05           | (illegible)     | 0.047
Evaluate (Multiplication) | Not available  | 41              | 4.805


C. Applications 

The GV scheme is suitable for all applications whose
functions contain many additions but few multiplications. For
example, as shown in Table IV, the scheme supports nearly 40
multiplications for the Large instance.

Lauter et al. [17], Brakerski and Vaikuntanathan [10] [11] [19]
and [26] have discussed the applications for which an SHE
scheme is quite sufficient for encrypted data processing and
allows the delegation of computation to a cloud server. The
efficient GV scheme can be practically implemented in all such
applications. There are two categories of applications for a
homomorphic encryption scheme in practice [17]: 1)
applications that demand encryption of both the data and the
functions to be computed, e.g. cloud based financial
information systems, and 2) applications that need only
encryption of the data, e.g. cloud based healthcare services.
Such applications involve simple statistical functions like
average, standard deviation, and logistic regression.
Evaluation of these functions requires many additions and
one or a few multiplications. However, due to the lack of proper
methods for computing square roots and divisions on real
numbers homomorphically, such operations should be
performed after decrypting the encrypted sums and products.

Another application area that is closely related to
homomorphic cryptography is Private Information Retrieval
(PIR) [19] [10] [20]. In a PIR protocol, a large database is
maintained by the cloud server and the customer wants to
retrieve a particular entry from that database privately. The
customer sends the encrypted index to be queried. The cloud
server homomorphically evaluates the database access
function with the encrypted index, obtaining the required
entry in encrypted form, and sends the result to the customer.
Bitwise encryption of the index is a drawback in such settings,
as it leads to high communication complexity; as a solution,
[10] proposes the use of a symmetric key encryption in
combination with the public key homomorphic scheme.

Conclusions 

In this paper, an efficient variant of the DGHV SHE
scheme is presented together with experimental details. The
security of the proposed GV scheme is based on the hardness
of the two-element PAGCD problem. Due to the smaller public
key, which contains two integers of O(n^3) bits each, the overall
complexity is halved, from O(n^12) for the DGHV scheme to
O(n^6) in the GV variant. Experimental results show that the
performance of the proposed SHE is very close to practicality.
The applications for which the scheme is suitable for practical
deployment are discussed.